configured API BASE URL is not used for login webflow #159

Closed
uvwild opened this issue May 30, 2022 · 5 comments
Labels: defect (Something isn't working), documentation (Improvements or additions to documentation)

Comments
uvwild commented May 30, 2022

We are running a safe installation without public DNS in a complex, secured environment.
When I analyse the login flow, the request does not use the API_BASE_URL configured in /app/static/config.json
(https://dtrackapi.domain)
but instead uses the FE_BASE_URL, resulting in a 405 error.

This does not look as described.

The faulty request copied from Firefox (domain redacted):

curl "https://dtrackfe.domain/api/v1/user/login" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" -H "Accept: application/json, text/plain, */*" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "Content-Type: application/x-www-form-urlencoded" -H "Origin: https://dtrackfe.domain" -H "Connection: keep-alive" -H "Referer: https://dtrackfe.domain/login?redirect="%"2Fdashboard" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: same-origin" -H "Pragma: no-cache" -H "Cache-Control: no-cache" --data-raw "username=admin&password=admin"

Versions:
dependencytrack/frontend latest 72cbc720c2a8 11 days ago 59.2MB
dependencytrack/apiserver latest b3d93dda0d2b 12 days ago 266MB

(it would be helpful to find the version numbers in the containers somewhere)

uvwild commented May 30, 2022

docker pull dependencytrack/frontend
Using default tag: latest
latest: Pulling from dependencytrack/frontend
Digest: sha256:f86341a3d731485c022244294f28e7f832e74e78e0343294b512c389d447a4a1
Status: Image is up to date for dependencytrack/frontend:latest
docker.io/dependencytrack/frontend:latest

docker pull dependencytrack/apiserver
Using default tag: latest
latest: Pulling from dependencytrack/apiserver
Digest: sha256:33ca1531557ff86640b7bb3fc559b130b460564ebe1832f6aba5420e9e863b67
Status: Image is up to date for dependencytrack/apiserver:latest
docker.io/dependencytrack/apiserver:latest

uvwild commented May 30, 2022

I verified along the call chain that the POST request arrives at the service, just at the frontend endpoint instead of the API endpoint.
When using curl to POST against the API endpoint with some user/password fields, I get a meaningful response.

The docker-compose says
# * The frontend container itself does NOT communicate with the API server directly, it just serves static files.
# * When deploying to dedicated servers, please use the external IP or domain of the API server.
- API_BASE_URL=https://myapiendpoint

This setting is ignored during login.

uvwild commented May 31, 2022

nscuro commented May 31, 2022

Ah, it looks like this was a breaking change introduced in #141 that we missed updating the documentation for. Since 4.5.0, config.json is located in /opt/owasp/dependency-track-frontend/static/config.json instead of /app/static/config.json.

Can you try changing the path you're mounting your config file into and see if that resolves your issue? I'll update the documentation accordingly.

(it would be helpful to find the version numbers in the containers somewhere)

Containers are labeled. Version and Git revision are included:

$ docker inspect dependencytrack/frontend:4.5.1 | jq '.[].Config.Labels'
{
  "maintainer": "steve.springett@owasp.org",
  "org.opencontainers.image.description": "Dependency-Track is an intelligent Component Analysis platform",
  "org.opencontainers.image.licenses": "Apache-2.0",
  "org.opencontainers.image.revision": "90e1b44a9f5beefc14591773b4edd15e76452895",
  "org.opencontainers.image.source": "https://github.com/DependencyTrack/frontend",
  "org.opencontainers.image.title": "Official Dependency-Track Frontend Container image",
  "org.opencontainers.image.url": "https://dependencytrack.org/",
  "org.opencontainers.image.vendor": "OWASP",
  "org.opencontainers.image.version": "4.5.1"
}
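As an added example (not Dependency-Track project code and not something either commenter posted), the following POSIX shell check catches the situation in this thread before deploying: a config.json mounted at the pre-4.5.0 path into a 4.5.0+ frontend image is simply never read, so the UI falls back to its own origin for API calls. It assumes only the two paths quoted above, a docker-compose style `host:container[:ro]` mount string, and a frontend version already resolved to a number (for `latest`, read `org.opencontainers.image.version` from the labels as shown in the `docker inspect` output above). The sample config.json is constructed.

```shell
#!/bin/sh
# Added example, not Dependency-Track project code. Checks a docker-compose
# style config.json mount against the path change discussed in this issue:
# before frontend 4.5.0 the file was read from /app/static/config.json,
# from 4.5.0 on from /opt/owasp/dependency-track-frontend/static/config.json.
# A mount that still targets the old path is silently ignored, so the UI
# falls back to its own origin for API calls (the 405 reported above).

OLD_CONFIG_PATH="/app/static/config.json"
NEW_CONFIG_PATH="/opt/owasp/dependency-track-frontend/static/config.json"

# Constructed sample config.json, shaped like the one the issue refers to.
SAMPLE_CONFIG='{
  "API_BASE_URL": "https://dtrackapi.domain"
}'

# version_ge A B: succeed if numeric version A is >= B (major.minor.patch).
# "latest" carries no number; resolve it first via the image labels
# (docker inspect ... org.opencontainers.image.version) as shown in the thread.
version_ge() {
    v_a=$1
    v_b=$2
    set -- $(printf '%s' "$v_a" | tr '.' ' ')   # split into numeric parts
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $(printf '%s' "$v_b" | tr '.' ' ')
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# expected_config_path VERSION: where that frontend version reads config.json.
expected_config_path() {
    if version_ge "$1" "4.5.0"; then
        printf '%s\n' "$NEW_CONFIG_PATH"
    else
        printf '%s\n' "$OLD_CONFIG_PATH"
    fi
}

# check_mount VERSION HOST:CONTAINER[:ro]: prints "ok", "stale: ..." or
# "unknown: ..." and succeeds only when the mount target is the path that
# VERSION actually reads.
check_mount() {
    version=$1
    target=${2#*:}          # drop the host-side path
    target=${target%%:*}    # drop a trailing ":ro" or similar option
    want=$(expected_config_path "$version")
    if [ "$target" = "$want" ]; then
        printf 'ok\n'
        return 0
    fi
    if [ "$target" = "$OLD_CONFIG_PATH" ] || [ "$target" = "$NEW_CONFIG_PATH" ]; then
        printf 'stale: frontend %s reads %s but the mount targets %s\n' "$version" "$want" "$target"
    else
        printf 'unknown: %s is not a config.json location this check knows\n' "$target"
    fi
    return 1
}

# api_base_url_from_config: reads config.json on stdin and prints API_BASE_URL.
# sed only, so it also works inside a minimal container image without jq.
api_base_url_from_config() {
    sed -n 's/.*"API_BASE_URL"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Demo: the mount from this issue against a 4.5.1 frontend, then the fix.
check_mount 4.5.1 "./config.json:/app/static/config.json" || true
check_mount 4.5.1 "./config.json:$NEW_CONFIG_PATH" || true
printf 'configured API base: %s\n' "$(printf '%s\n' "$SAMPLE_CONFIG" | api_base_url_from_config)"
```

Run it as a pre-deploy step with the volume line from your docker-compose file; a non-zero exit from `check_mount` means the frontend will not pick up the configured API_BASE_URL and the login POST will go to the frontend origin instead.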

@nscuro nscuro added defect Something isn't working documentation Improvements or additions to documentation labels May 31, 2022
@nscuro nscuro self-assigned this May 31, 2022
nscuro added a commit to nscuro/dependency-track that referenced this issue May 31, 2022
As identified in DependencyTrack/frontend#159

Signed-off-by: nscuro <nscuro@protonmail.com>
nscuro commented Oct 2, 2022

Closing as the change has since been included in both the documentation and the changelog.

@nscuro nscuro closed this as completed Oct 2, 2022